YITH WooCommerce Wishlist < 4.10.1 – Unauthenticated Wishlist Rename via IDOR | CVE 2025-12427 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Insecure Direct Object Reference via the REST API endpoint and AJAX handler due to missing validation on user-controlled keys. This makes it possible for unauthenticated attackers to discover any user's wishlist token ID, and subsequently rename the victim's wishlist without authorization (integrity impact). This can be exploited to target multi-user stores for defacement, social engineering attacks, mass tampering, and profiling at scale.

Affects Plugins

yith-woocommerce-wishlist

Fixed in 4.10.1

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ffdb95ac-6b22-44a9-bd5c-b802a2d908d7

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Athiwat Tiprasaharn (Jitlada)

Verified

No

WPVDB ID

821b6774-80ec-4661-925e-72a39fc13f96

Timeline

Publicly Published

2025-11-18 (about 5 months ago)

Added

2025-11-18 (about 5 months ago)

Last Updated

2025-11-18 (about 5 months ago)

Other

Published

Title

Published

2024-10-25

Title

School Management System – WPSchoolPress < 2.2.11 - Insecure Direct Object Reference to Authenticated (Teacher+) Account Takeover/Privilege Escalation

Published

2024-08-16

Title

Propovoice CRM <= 1.7.8 - Unauthenticated Insecure Direct Object Reference

Published

2026-01-16

Title

Quick Contact Form < 8.2.7 - Unauthenticated Open Mail Relay

Published

2025-12-03

Title

HUSKY – Products Filter Professional for WooCommerce < 1.3.7.3 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_query/woof_remove_query'

Published

2023-09-22

Title

Pre-Publish Checklist < 1.1.2 - Insecure Direct Object Reference to Arbitrary Post '_ppc_meta_key' Update